Overview
- ReliaQuest reported medium-confidence evidence that threat actors exploited CVE-2024-12802 across multiple environments between February and March 2026, gaining access to networks where SonicWall Gen6 devices looked patched but were not fully reconfigured.
- The flaw stems from missing MFA enforcement for User Principal Name (UPN) logins, which lets an attacker with valid credentials authenticate without triggering the second factor.
- SonicWall’s advisory requires six manual LDAP reconfiguration steps on Gen6 devices after applying the firmware update because the vulnerable LDAP settings remain unless deleted and rebuilt.
- In the observed intrusions, attackers brute-forced VPN credentials, bypassed MFA, performed fast reconnaissance, attempted to stage a Cobalt Strike beacon and a vulnerable driver, and in one case reached a domain-joined file server in about 30 minutes.
- Defenders should verify completion of SonicWall’s manual remediation steps or upgrade to Gen7/8 firmware, search for indicators such as sess="CLI" and event IDs 238 and 1080, and treat Gen6 appliances as higher risk since they reached end-of-life on April 16, 2026.
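The indicator search above is easy to script. The following is an added example, not code from ReliaQuest or SonicWall: it parses constructed log lines written in an assumed SonicWall-style key=value syslog layout (the `m` field is assumed to carry the event ID, the serial number is a placeholder, and the addresses are documentation ranges) and flags any record whose session type is `sess="CLI"` or whose event ID is 238 or 1080, then totals hits per source address so a responder can see which hosts to look at first. Check the field names against an export from your own appliance before running it on real logs.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed SonicWall-style key=value syslog layout.
# Field names (m, sess, usr, src) are assumptions, not taken from the report.
SAMPLE_LOGS = [
    'id=firewall sn=SN-PLACEHOLDER time="2026-03-02 08:14:01" fw=203.0.113.10 pri=6 c=16 '
    'm=238 msg="User login from CLI" sess="CLI" usr="jdoe@corp.example" src=198.51.100.7',
    'id=firewall sn=SN-PLACEHOLDER time="2026-03-02 08:14:09" fw=203.0.113.10 pri=5 c=16 '
    'm=1080 msg="SSL VPN login success" sess="sslvpn" usr="jdoe@corp.example" src=198.51.100.7',
    'id=firewall sn=SN-PLACEHOLDER time="2026-03-02 08:15:22" fw=203.0.113.10 pri=6 c=16 '
    'm=1079 msg="SSL VPN login failed" sess="sslvpn" usr="admin" src=198.51.100.7',
    'id=firewall sn=SN-PLACEHOLDER time="2026-03-02 09:00:00" fw=203.0.113.10 pri=6 c=1024 '
    'm=97 msg="Web site access" sess="Web" usr="alice" src=10.0.0.5',
]

# Event IDs named in the advisory summary as worth searching for.
SUSPECT_EVENT_IDS = {"238", "1080"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value syslog line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def flag_event(fields: dict) -> list:
    """Return the list of indicator names that match this record (empty if none)."""
    reasons = []
    if fields.get("sess") == "CLI":
        reasons.append('sess="CLI"')
    if fields.get("m") in SUSPECT_EVENT_IDS:
        reasons.append(f"event id {fields['m']}")
    return reasons


def scan(lines) -> list:
    """Parse every line and keep only those that hit at least one indicator."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        reasons = flag_event(fields)
        if reasons:
            hits.append({
                "time": fields.get("time"),
                "usr": fields.get("usr"),
                "src": fields.get("src"),
                "m": fields.get("m"),
                "reasons": reasons,
            })
    return hits


def hits_by_source(hits) -> Counter:
    """Count flagged records per source address to prioritise triage."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h['time']} src={h['src']} usr={h['usr']} -> {', '.join(h['reasons'])}")
    print("hits per source:", dict(hits_by_source(found)))
```

Matching on `sess="CLI"` alone will also surface legitimate administrator CLI sessions, so treat the output as a triage list to correlate with VPN logins from the same user and source, not as a verdict.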